diff options
| author | Michael Boelen <michael.boelen@cisofy.com> | 2017-04-23 21:06:54 +0300 |
|---|---|---|
| committer | Michael Boelen <michael.boelen@cisofy.com> | 2017-04-23 21:06:54 +0300 |
| commit | 70ea29483a5fcb82ddc89d656227194560b502f2 (patch) | |
| tree | d90db794f0ae7419b81e2b466ec017565ca176eb /include/tests_squid | |
| parent | 9e9b95e1daf9d64d7753d37b48e88697b297fa36 (diff) | |
Code enhancements
Diffstat (limited to 'include/tests_squid')
| -rw-r--r-- | include/tests_squid | 74 |
1 files changed, 37 insertions, 37 deletions
diff --git a/include/tests_squid b/include/tests_squid index d1ce53d6..6d36baa3 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -22,7 +22,7 @@ # ################################################################################# # - SQUID_DAEMON_CONFIG_LOCS="/etc /etc/squid /etc/squid3 /usr/local/etc/squid /usr/local/squid/etc" + SQUID_DAEMON_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/squid ${ROOTDIR}etc/squid3 ${ROOTDIR}usr/local/etc/squid ${ROOTDIR}usr/local/squid/etc" SQUID_DAEMON_CONFIG="" SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25" SQUID_DAEMON_RUNNING=0 @@ -43,11 +43,11 @@ FOUND=0 # Check running processes FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: No running Squid daemon found" Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -73,10 +73,10 @@ SQUID_DAEMON_CONFIG="${I}/squid3.conf" fi done - if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then + if [ -z "${SQUID_DAEMON_CONFIG}" ]; then LogText "Result: No Squid configuration file found" Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW - else + else LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}" Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN fi @@ -86,22 +86,22 @@ # # Test : SQD-3606 # Description : Check Squid version - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! "${SQUIDBINARY}" = "" ]; then + if [ ! -z "${SQUIDBINARY}" ]; then LogText "Result: Squid binary found (${SQUIDBINARY})" # Skip check if a setuid/setgid bit is found - FIND=$(find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print) - if [ "${FIND}" = "" ]; then + FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print) + if [ -z "${FIND}" ]; then FIND2=$(${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }') Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN SQUID_VERSION="${FIND2}" - else + else LogText "Result: test skipped for security reasons, setuid/setgid bit set" Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED fi - else + else LogText "Result: no Squid binary found" fi fi @@ -110,7 +110,7 @@ # # Test : SQD-3610 # Description : Check Squid configuration options - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" @@ -127,18 +127,18 @@ # # Test : SQD-3613 # Description : Check Squid configuration options - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive" AddHP 0 2 - else + else LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions" Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN AddHP 2 2 @@ -147,7 +147,7 @@ # ################################################################################# # - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then Display --indent 4 --text "- Checking Squid access control" fi # @@ -155,15 +155,15 @@ # # Test : SQD-3614 # Description : Check Squid authentication - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check auth_param option for authentication methods" FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }') - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW - else + else Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN for I in ${FIND}; do LogText "Result: found authentication method ${I}" @@ -176,15 +176,15 @@ # # Test : SQD-3616 # Description : Check external Squid authentication - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check external_acl_type option for external authentication helpers" FIND=$(${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}) - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "No external_acl_type found" Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW - else + else Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN for I in ${FIND}; do LogText "Result: found external authentication method helper" @@ -207,7 +207,7 @@ if [ "${FIND}" = "" ]; then LogText "Result: No ACLs found" Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED - else + else for I in ${FIND}; do N=$((N + 1)) I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') @@ -229,18 +229,18 @@ N=0 LogText "Test: checking ACL Safe_ports http_access option" FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports") - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "Result: no Safe_ports found" Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" - else + else LogText "Result: checking ACL safe ports" FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }') - if [ "${FIND2}" = "" ]; then + if [ -z "${FIND2}" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" AddHP 0 1 - else + else LogText "Result: Safe_ports found" for I in ${FIND}; do LogText "Found safe port: ${I}" @@ -252,10 +252,10 @@ for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do LogText "Test: Checking port ${I} in Safe_ports list" FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}) - if [ "${FIND2}" = "" ]; then + if [ -z "${FIND2}" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 1 1 - else + else Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}" AddHP 0 1 @@ -266,7 +266,7 @@ # ################################################################################# # - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then Display --indent 4 --text "- Checking Squid Denial of Service tuning options" fi # @@ -274,18 +274,18 @@ # # Test : SQD-3630 [T] # Description : Check reply_body_max_size value - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option" if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking option reply_body_max_size" FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g') - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "Result: option reply_body_max_size not configured" Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED AddHP 1 2 ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests." - else + else LogText "Result: option reply_body_max_size configured" LogText "Output: ${FIND}" Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN @@ -295,7 +295,7 @@ # ################################################################################# # - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then Display --indent 4 --text "- Checking Squid general options" fi # @@ -303,16 +303,16 @@ # # Test : SQD-3680 # Description : Check httpd_suppress_version_string - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on") - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "Result: option httpd_suppress_version_string not configured" Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW AddHP 1 2 ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." - else + else LogText "Result: option httpd_suppress_version_string configured" LogText "Output: ${FIND}" Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN |